Prometheus Blogs

FISMA In A Sesame Seed

01/27/2016

FISMA is a law (The Federal Information Security Management Act of 2002) which requires the protection of federal information resources. FISMA is a part (Title III) of the E-Government Act of 2002. FISMA was later updated by The Federal Information Security Modernization Act of 2014 (also called FISMA).

FISMA requires [1] compliance with NIST Federal Information Processing Standards (FIPS). FISMA also requires annual review of federal information security, with the results reported to the Office of Management and Budget (OMB), which in turn reports to Congress. OMB Circular A-130 provides policy on how to implement FISMA.

Federal Acquisition Regulation (FAR) sections 7.103 (v) and (w) require agencies to pass NIST compliance down to vendors. The push-down requirement can manifest itself (for example) in the form of contractual clauses that contain content specified by the Code of Federal Regulations (CFR) clause 52.239-72.

In addition to FIPS, NIST publishes many security documents in the Special Publication (SP) 800 series. Most of these are non-compulsory guidance, as far as FISMA is concerned. SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”, is explicitly required by FISMA, through FIPS 200. Other NIST special publications may also be required. For example, the above-mentioned CFR clause additionally requires (among other things): SP 800-18 “Guide for Developing Security Plans for Federal Information Systems”, SP 800-26 “Security Self-Assessment Guide for Information Technology Systems” (which is obsolete, superseded by SP 800-53), SP 800-30 “Guide for Conducting Risk Assessments”, and SP 800-37 “Guide for Applying the Risk Management Framework to Federal Information Systems”.

The main NIST security methodological guidance is the Risk Management Framework (RMF), described in NIST Special Publication 800-37. SP 800-37 in turn references many other documents, on the development of security plans, risk assessments, security control selection, and security control evaluation.

Intelligence and military agencies use ICD 503, or the DoD RMF [2][3], instead of the NIST RMF. Cloud applications use FedRAMP.


  1. The FIPS compliance requirement is specified in a roundabout way: NIST is directed to make standards and guidelines, and the Secretary of Commerce is required to prescribe compulsory standards. The FIPS standards are designated as compulsory. NIST also has many Special Publications in the SP 800 series, which are mostly guidelines rather than requirements.

  2. http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf

  3. http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
